Android Toast Flaw Can Burn Users with Malware, DoS and Info-Theft

A vulnerability in the Android platform has been uncovered that could be used to take control of devices, lock them and/or steal information.

Palo Alto Networks Unit 42 researchers found the flaw, which makes it considerably easier to mount an “overlay attack.” In a worst-case scenario, the vulnerability could be used to render the phone unusable or to install any kind of malware, including ransomware or information stealers.

“An overlay attack is an attack where an attacker’s app draws a window over (or overlays) other windows and apps running on the device,” the researchers explained in an analysis. “When done successfully, this can enable an attacker to convince the user he or she is clicking one window when, in fact, he or she is actually clicking another window. As example [is] where an attacker is making it appear that the user is clicking to install a patch when in fact the user is clicking to grant the Porn Droid malware full administrator permissions on the device.”

Essentially, bad actors can use this to trick a user into installing malware on their device, or trick them into giving the malware full administrative privileges on the device. An overlay attack can also be used to create a denial-of-service condition on the device by raising windows on the device that don’t go away—this is the same approach attackers use with ransomware attacks on mobile devices.
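The overlay attack described above works because the victim app cannot tell that the tap it received was aimed at a window drawn on top of it. Android exposes a per-view mitigation for exactly this: a view can ask the framework to drop touches that arrive while its window is obscured by another window. The class below is an added example written for this article, not code from Unit 42 or the Android project; the view name `ConsentButton` and the log tag are assumptions. It is the general app-side tap-jacking defence and is not the platform patch for the Toast flaw, so it complements updating the device rather than replacing it.

```java
// Added example: a button that refuses touches delivered while another window
// (an overlay) is drawn over it. Intended for security-sensitive controls such
// as "grant permission" or "confirm" buttons.
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class ConsentButton extends Button {
    private static final String TAG = "ConsentButton"; // assumed log tag

    public ConsentButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in layout XML:
        // the framework discards touches whose window is fully obscured before
        // they reach onTouchEvent.
        setFilterTouchesWhenObscured(true);
    }

    // Security filter hook called for every touch before normal dispatch.
    // Returning false drops the event; returning true lets it through.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // Partial-obscure detection exists from Android 10 (API 29) onward.
        boolean partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        if (obscured || partiallyObscured) {
            // Detection point: an overlay was covering this control at tap time.
            Log.w(TAG, "Dropped touch: another window is drawn over this button");
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Wire the button into a layout like any other `Button`; the XML attribute `android:filterTouchesWhenObscured="true"` alone gives the fully-obscured check, and the override adds the partially-obscured case plus a log line a defender can alert on.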

“Overlay attacks aren’t new; they’ve been discussed before,” the researchers said. “But until now…everyone has believed that malicious apps attempting to carry out overlay attacks must overcome two significant hurdles to be successful: They must explicitly request the ‘draw on top’ permission from the user when installed; and they must be installed from Google Play.”

As such, they haven’t been considered a serious threat—but this discovery changes that.

The Unit 42 research shows that the new vulnerability provides a way to carry out overlay attacks simply by installing malicious apps (including those from websites and app stores other than Google Play). That’s because the flaw is within an Android feature known as Toast, which is a type of notification window that “pops” (like toast) on the screen to display messages and notifications over other apps. It doesn’t require the same permissions as other overlay attack avenues.

The issue does not affect Android 8.0 Oreo, the latest version; but it does affect all prior versions of Android. Patches are available as part of the September 2017 Android Security Bulletin.

“Most people who run Android run versions that are vulnerable. This means that it’s critical for all Android users on versions before 8.0 to get updates for their devices,” the researchers added.